Why Authentication Matters

Understand why your API needs authentication and what you will build

Your API is wide open

Right now, anyone who knows your API's URL can create, read, update, and delete any expense. There are no user accounts, no passwords, and no way to tell who sent a request. Every endpoint is fully public.

That was fine while you were building and testing. But a real API needs to control access. You need to know who is making each request before you decide whether to allow it.

What authentication means

Authentication answers one question: who are you? The user provides credentials (an email and password), and the server verifies them. If the credentials match, the server knows who the user is.

Authorization is a separate question: what are you allowed to do? This course focuses on authentication. Once you know who the user is, you can restrict their access to only their own expenses.

What you will build

This lesson creates a new file called auth.py — a self-contained authentication module. By the end, it will contain four pieces:

  • User model: a database table for user accounts with an email and a hashed password
  • Password hashing: two functions that hash passwords for storage and verify them during login
  • Token creation: a function that generates a signed JSON Web Token after a successful login
  • Token verification: a function that decodes a token from an incoming request and looks up the user
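
One way those four pieces fit together, as an added example rather than the course's own auth.py: it uses standard-library stand-ins only (PBKDF2-HMAC for password hashing, a hand-assembled HS256 JSON Web Token, and an in-memory dict in place of the User table) so it runs without FastAPI or a database; the secret key, the one-hour token lifetime and the shape of a user record are assumptions.

```python
import base64, hashlib, hmac, json, os, time
from typing import Optional

# Hypothetical secret; the real module loads it from configuration, never from source.
SECRET_KEY = b"replace-with-a-random-secret"
TOKEN_TTL_SECONDS = 3600
USERS = {}  # constructed in-memory stand-in for the User table: email -> record

def hash_password(password: str) -> str:
    """Return 'salt$hash': PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 600_000)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_token(email: str, now: Optional[int] = None) -> str:
    """Build a compact HS256 JWT (header.payload.signature) carrying the user and an expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": email, "exp": now + TOKEN_TTL_SECONDS}).encode())
    sig = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: Optional[int] = None):
    """Check the signature, then the expiry, then look up the user; None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None  # not three dot-separated parts
    expected = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None  # payload altered or signed with a different key
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired
    return USERS.get(claims.get("sub"))
```

In the real module a maintained JWT library replaces the hand-assembled token, but the order of checks it must perform is the same: signature first, then expiry, and only then the database lookup.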

Lesson 2 connects this module to your FastAPI app with register and login endpoints. Lesson 3 locks down the expense endpoints so only authenticated users can access them.
